Security

Standards for reliable and secure communications

A secure digital life for users, businesses and societies

Information security standards are essential to ensure interoperability among systems and networks, compliance with legislation and adequate levels of security. These standards provide a means for protecting the user, creating a more secure and profitable environment for the industrial sector, from SMEs to large global companies, and providing benefits for a diverse range of interest groups that include government organizations, research bodies and universities.

The rapid evolution and growth in the complexity of new systems and networks, coupled with the sophistication of changing threats, present demanding challenges for maintaining the security of Information and Communications Technologies (ICT) systems and networks. Security solutions must include a reliable and secure network infrastructure, but they must also protect the privacy of individuals and organizations. Security standardization, sometimes in support of legislative actions, has a key role to play in protecting the Internet and the communications and business it carries.

Our Cyber Security committee (TC CYBER) is addressing many of these issues. Building on our previous work, we are defining metrics for the identification of critical infrastructures, addressing issues such as the impact of a successful attack on a critical infrastructure, categorization of the critical infrastructure, its dependencies and interdependencies, reporting and registration and access control.

We continue to address privacy, in response to European Commission (EC) standardization request M/530 on Privacy by Design, and in co-operation with the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC).

Our work on Attribute-Based Encryption (ABE) is ongoing. By mid-2018 we plan to publish specifications on the application of ABE for data protection on smart devices, Cloud and mobile services, and on the standard features needed to use ABE as Attribute Based Access Control.

We have published a Technical Report (TR) on the implementation of the European Union's Network and Information Security Directive, which identifies existing standards and where new standards are needed in support of the directive, particularly around critical infrastructure protection.

Our working group on quantum-safe cryptography brings the activities of our former Industry Specification Group (ISG) on Quantum-Safe Cryptography (ISG QSC) into mainstream ETSI standardization. It is working on proposals for quantum-safe key exchange schemes and signature schemes, and recommendations on the impact of integrating quantum-safe algorithms into Virtual Private Network technologies.

Quantum Key Distribution (QKD) enables digital keys to be shared privately without relying on computational complexity. The security offered by QKD will not be vulnerable to future advances in algorithms, computational power or the emergence of a quantum computer. With QKD, security keys are encoded on single photons or weak pulses of light and shared over optical fibre or free-space links. Demonstrator networks are now being constructed in several locations around the world and standards are needed urgently to enable adoption of these new security technologies.

Our ISG on QKD is developing standards for the quantum communications industry that will promote and shape the market.

Ongoing work includes the characterization of the optical output of QKD transmitter modules, QKD deployment parameters, and a specification on the design, construction, characterization and operation of QKD systems to protect against Trojan horse attacks.

Standards to support the use of electronic signatures and public key certificates are a key driver in enabling the successful evolution of electronic commerce. Our Electronic Signatures and Infrastructures committee (TC ESI) is responsible for standardization in the areas of electronic signatures and Public Key Infrastructure (PKI). Our standards and specifications are harmonized with the new 'eIDAS Regulation' on electronic identification and trust services for electronic transactions in the internal market.

Smart Cards are an important enabler in applications where a user's credentials are used for authentication and secure communication. Our Smart Card Platform committee (TC SCP) standardized the Subscriber Identity Module (SIM) card for GSM, which is one of the most widely deployed smart cards ever.

The main task of our SCP committee is to develop and maintain specifications for the Secure Element (SE) and its interface to the outside world for use in telecommunication systems, for general telecommunication purposes as well as for Machine-to-Machine (M2M)/Internet of Things (IoT) communications. As these specifications are generic and application-agnostic, they can also be used as specifications for any application designed to reside in an SE, for its interface to the outside world and the ecosystem in which it is embedded.

Our Secure Element specifications are widely used by the industry and certification bodies, so the maintenance and technical improvement of these specifications, as well as the continuous updating of our test specifications to cover new features and functions, form a significant part of our work in this area. We are upgrading our existing test specifications, as necessary, to cover new releases of the respective core specifications and we will review our test descriptions to take into account experience gained in the field.

ETSI is a global leader in the provision and maintenance of security algorithms. Our Security Algorithms Group of Experts (SAGE) is widely recognized for its work on authentication and encryption mechanisms for different technologies.

Authentication and encryption mechanisms are developed by ETSI for various technologies. These include GSM/UMTS, LTE (through 3GPP), TETRA, DECT and RFID.

Also for the IoT, our Partnership Project for M2M and IoT standards, oneM2M, has developed a set of security features as part of its service layer solution, including provisioning, authentication, authorization and establishing secure communications.

ETSI's ISG on Information Security Indicators publishes guidelines for testing the effectiveness of security risk detection capabilities. Together with the specifications, those guidelines form a reference model for the measurement of information security risks and enable organizations to assess themselves and benchmark their level of assurance and the effectiveness of their security measures.

ETSI produces and maintains a suite of standards for Lawful Interception and Retained Data within the Lawful Interception committee (TC LI). This work is crucial to preserve national security, to combat terrorism and in the investigation of serious criminal activities. TC LI work focuses on the technical aspects related to the handover interface and service-specific details for Internet Protocol (IP) delivery.

Our Intelligent Transport Systems committee (TC ITS) produces standards to support the development and implementation of communications and services for intelligent transport systems across the network, for transport networks, vehicles and transport users. These standards cover security aspects of vehicle-to-vehicle and vehicle-to-infrastructure communications, such as preventing eavesdropping and malware.

Broadcasting technologies deliver radio, television and data services. ETSI performs security work in this area, including encryption techniques to protect the broadcasting content. This is performed in JTC Broadcast, which brings the Institute together with the European Broadcasting Union (EBU) and the European Committee for Electrotechnical Standardization (CENELEC), and in our ISG ECI, developing an embedded common interface for exchangeable CA/DRM solutions.

We organize an annual Security Week which addresses issues raised by the latest technological advances.